Introduction
This document describes how to control Transport Layer Security (TLS) negotiation on delivery on the Email Security Appliance (ESA).
As defined in RFC 3207, "TLS is an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. TLS is a popular mechanism for enhancing TCP communications with privacy and authentication."
Enable TLS on Delivery
You can require STARTTLS for email delivery to specific domains with either of the two methods described in this document:
- Use the CLI destconfig command.
- From the GUI choose Mail Policies > Destination Controls.
When you add a domain, the Destination Controls page or the destconfig command lets you specify one of five different TLS settings for that domain. In addition, you can dictate whether validation of the domain's certificate is necessary.
TLS Setting Definitions
TLS Setting: Meaning

Default
The default TLS setting, as configured on the Destination Controls page or with the destconfig -> default subcommand, is used for outgoing connections from the listener to the Message Transfer Agent (MTA) for the domain. The value "Default" is set if you answer no to the question: "Do you wish to apply a specific TLS setting for this domain?"

1. No
TLS is not negotiated for outgoing connections from the interface to the MTA for the domain.

2. Preferred
TLS is negotiated from the ESA interface to the MTA(s) for the domain. However, if the TLS negotiation fails before the 220 response is received, the SMTP transaction continues "in the clear" (not encrypted). No attempt is made to verify that the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received, the SMTP transaction does not fall back to clear text.

3. Required
TLS is negotiated from the ESA interface to the MTA(s) for the domain. No attempt is made to verify the certificate of the domain. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session.

4. Preferred (Verify)
TLS is negotiated from the ESA to the MTA(s) for the domain. The appliance attempts to verify the domain's certificate. Three outcomes are possible:
- TLS is negotiated and the certificate is verified. The mail is delivered via an encrypted session.
- TLS is negotiated, but the certificate is not verified. The mail is still delivered via an encrypted session.
- No TLS connection is made, so the certificate is not verified. The email message is delivered in plain text.

5. Required (Verify)
TLS is negotiated from the ESA to the MTA(s) for the domain. Verification of the domain certificate is required. Three outcomes are possible:
- A TLS connection is negotiated and the certificate is verified. The email message is delivered via an encrypted session.
- A TLS connection is negotiated, but the certificate is not verified by a trusted Certificate Authority (CA). The mail is not delivered.
- A TLS connection is not negotiated. The mail is not delivered.

6. Required - Verify Hosted Domains
The difference between the TLS Required - Verify and TLS Required - Verify Hosted Domains options lies in the identity verification process: how the presented identity is processed and which types of reference identifiers are allowed determine the final result. The presented identity is first derived from the subjectAltName extension of type dNSName. If none of the dNSName entries matches one of the accepted reference identities (REF-ID), the verification fails regardless of whether a CN exists in the subject field that could otherwise pass identity verification. The CN derived from the subject field is validated only when the certificate contains no subjectAltName extension of type dNSName. Review TLS Verification Process for Cisco Email Security for more information.
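To make the outcomes above concrete, here is an added Python model (not Cisco code and not the appliance's implementation) of the two decisions the settings describe: the SAN-first identity check used by the Verify options, and the deliver, fall-back or reject outcome for each setting. It assumes the accepted reference identifiers are supplied by the caller, matches names exactly (no wildcard handling), and treats Required - Verify Hosted Domains as sharing the Required (Verify) outcomes, differing only in which reference identifiers are accepted.

```python
# Added example (not Cisco code): a model of the ESA delivery TLS decisions.
# Which reference identifiers are acceptable is an assumption left to the caller.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PeerCert:
    """Only the identity fields of a presented certificate (constructed sample)."""
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries
    cn: Optional[str] = None                     # subject CN, if any


def _same_name(presented: str, ref_id: str) -> bool:
    # DNS names are case-insensitive and a trailing dot is ignored.
    # Wildcard labels are deliberately not handled here (exact match only).
    return presented.lower().rstrip(".") == ref_id.lower().rstrip(".")


def identity_verified(cert: PeerCert, ref_ids) -> bool:
    """SAN dNSName entries are authoritative: if any exist and none matches a
    reference identifier, verification fails even if the CN would have matched.
    The CN is consulted only when the certificate has no dNSName at all."""
    if cert.san_dns:
        return any(_same_name(n, r) for n in cert.san_dns for r in ref_ids)
    return cert.cn is not None and any(_same_name(cert.cn, r) for r in ref_ids)


def delivery_outcome(setting: str, tls_negotiated: bool, cert_verified: bool,
                     failed_after_220: bool = False) -> str:
    """Return 'encrypted', 'cleartext' or 'not delivered' for one delivery attempt.
    failed_after_220: the 220 to STARTTLS was received but the handshake then failed."""
    if setting == "No":
        return "cleartext"
    if setting == "Preferred":
        if tls_negotiated:
            return "encrypted"
        # Fallback to clear text happens only if the failure preceded the 220.
        return "not delivered" if failed_after_220 else "cleartext"
    if setting == "Required":
        return "encrypted" if tls_negotiated else "not delivered"  # cert never checked
    if setting == "Preferred (Verify)":
        return "encrypted" if tls_negotiated else "cleartext"  # unverified cert still OK
    if setting in ("Required (Verify)", "Required - Verify Hosted Domains"):
        return "encrypted" if tls_negotiated and cert_verified else "not delivered"
    raise ValueError(f"unknown TLS setting: {setting}")
```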
Enable TLS on the GUI
- Choose Monitor > Destination Controls.
- Click Add Destination.
- Add the destination domain in the Destination field.
- Select the TLS support method from the TLS Support drop-down list.
- Click Submit in order to submit the changes.
Enable TLS on the CLI
This example uses the destconfig command in order to require TLS connections and encrypted conversations for the domain example.com. Note that this example shows that TLS is required for a domain that uses the demonstration certificate pre-installed on the appliance. You can enable TLS with the demonstration certificate for testing purposes, but it is not secure and is not recommended for general use.
The value "Default" is set if you answer no to the question: "Do you wish to apply a specific TLS setting for this domain?" If you answer yes, choose No, Preferred, or Required.
ESA> destconfig
Choose the operation you want to perform:
- SETUP - Change global settings.
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- DEFAULT - Change the default.
- LIST - Display a summary list of all entries.
- DETAIL - Display details for one destination or all entries.
- CLEAR - Remove all entries.
- IMPORT - Import tables from a file.
- EXPORT - Export tables to a file.
[]> new
Enter the domain you wish to configure.
[]> example.com
Do you wish to configure a concurrency limit for example.com? [Y]> N
Do you wish to apply a messages-per-connection limit to this domain? [N]> N
Do you wish to apply a recipient limit to this domain? [N]> N
Do you wish to apply a specific TLS setting for this domain? [N]> Y
Do you want to use TLS support?
1. No
2. Preferred
3. Required
4. Preferred - Verify
5. Required - Verify
6. Required - Verify Hosted Domains
[1]> 3
You have chosen to enable TLS. Please use the 'certconfig' command to
ensure that there is a valid certificate configured.
Do you wish to apply a specific bounce verification
address tagging setting for this domain? [N]> N
Do you wish to apply a specific bounce profile to this domain? [N]> N
Do you wish to apply a specific IP sort preference to this domain? [N]> N
There are currently 3 entries configured.
Choose the operation you want to perform:
- SETUP - Change global settings.
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- DEFAULT - Change the default.
- LIST - Display a summary list of all entries.
- DETAIL - Display details for one destination or all entries.
- CLEAR - Remove all entries.
- IMPORT - Import tables from a file.
- EXPORT - Export tables to a file.
[]> list
Rate Bounce Bounce IP Version
Domain Limiting TLS Verification Profile Preference
=========== ======== ======= ============ ========= ============
example.com Default On Default Default Default
(Default) On Off Off (Default) Prefer IPv6